Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

How to manage connections to 100 sap systems for different clients

ray_mannion
Participant
0 Kudos
457

We are an SAP add-on partner with a namespace, etc and have hundreds of SAP systems we need to be able to access.

I'm wondering how other SAP software companies and even consulting companies manage to support dozens of customers at a time without installing a VPN for every client.

We have figured out a way through port forwarding that I won't try to explain but I thought perhaps there was a more standard solution offered by SAP.

For example, when SAP needs to log into a system, they use some type of SM59 connection right?

We of course have our own licensed SAP installation so I'm wondering if there is something there that would allow us to connect to our clients SAP system securely.

Thanks for any suggestions and references to helpful articles

1 REPLY 1

marco_hammel2
Participant
0 Kudos
255

Hi twenty_d_energizer ,

Giving a specific answer to your question requires a lot more context. However, I'm happy to share some of my experience on this topic with you:

  • SAP Support connects via their support backbone through a SAProuter that needs to up and correctly configured to a customer's SAP system. At least at the time of the support activity the SAProuter needs to be exposed to the internet. Finally, the DIAG protocol is tunneled through RFC that's routed to the customer's system. The customer needs to provide the SAP support a user and credentials.
  • In case you needs application-level access VPN's are typically not a good choice. As you recognized, the use of VPNs don't scale across organizations. In general VPN's provide IP-level and not service level access (even though those who are in control of VPN gateways can limit access to ports etc.). Most of the time a more secure and reliable solution is to access only the required services through encrypted network protocols (like SNC for RFC and DIAG). through strong authentication, at best in combination with network-level access control. There are some limitations with SAP-proprietary protocols, but it's a common use case for web-based service to work in combination with a WAF, or an identity aware proxy for pre-authentication before the actual service is accessed. But again, it depends on what your access use cases are.
  • A common problem with remote access on scale is different firewall and network configurations at different clients. Specifically when the network access is via NAT. In this case, it can be necessary to work with peer-to-peer tunneling protocols, or reverse created tunnels. For example, when IP/host-level access is required, one option can be that your client's initiate a tunnel to a VPN gateway controlled by you and you access the environment of the client through this tunnel. Again, what technology and concept works for you depends on the use case and what your clients can operate.

Best

Marco